Merge pull request #1293 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
otetard authored Sep 6, 2023
2 parents bb8c1f4 + 0da7b53 commit e05cd70
Showing 2 changed files with 174 additions and 15 deletions.
Expand Up @@ -40,21 +40,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"file"
],
"type": [
"access",
"change"
]
],
"action": "edit",
"dataset": "audit#activity"
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"user": {
"id": "ABC123xyz",
"email": "[email protected]"
},
"google-drive-reports": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "shared_internally"
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "shared_internally"
}
}
},
"network": {
Expand Down Expand Up @@ -95,18 +98,21 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"file"
],
"type": [
"access",
"change"
]
],
"action": "edit",
"dataset": "audit#activity"
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"user": {
"id": "ABC123xyz",
"email": "[email protected]"
},
"google-drive-reports": {
"actor": {
"email": "[email protected]"
"google": {
"report": {
"actor": {
"email": "[email protected]"
}
}
},
"network": {
Expand Down Expand Up @@ -134,6 +140,63 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_drive_view_document.json"

```json

{
"message": "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2023-09-04T08:42:51.615Z\",\n \"uniqueQualifier\": \"-2222222222222222222\",\n \"applicationName\": \"drive\",\n \"customerId\": \"111111111\"\n },\n \"actor\": {\n \"email\": \"[email protected]\",\n \"profileId\": \"444444444444444444444\"\n },\n \"ipAddress\": \"1.2.3.4\",\n \"events\": [\n {\n \"type\": \"access\",\n \"name\": \"view\",\n \"parameters\": [\n {\n \"name\": \"primary_event\",\n \"boolValue\": true\n },\n {\n \"name\": \"billable\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_is_shared_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_team_drive_id\",\n \"value\": \"DDD_111111111111111\"\n },\n {\n \"name\": \"owner\",\n \"value\": \"J.DOE\"\n },\n {\n \"name\": \"doc_id\",\n \"value\": \"333333333333333333333333333333333\"\n },\n {\n \"name\": \"doc_type\",\n \"value\": \"folder\"\n },\n {\n \"name\": \"is_encrypted\",\n \"boolValue\": false\n },\n {\n \"name\": \"doc_title\",\n \"value\": \"MyDocs\"\n },\n {\n \"name\": \"visibility\",\n \"value\": \"people_within_domain_with_link\"\n },\n {\n \"name\": \"shared_drive_id\",\n \"value\": \"DDD_222222222222222\"\n },\n {\n \"name\": \"originating_app_id\",\n \"value\": \"666666666666\"\n },\n {\n \"name\": \"actor_is_collaborator_account\",\n \"boolValue\": false\n },\n {\n \"name\": \"owner_is_team_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"team_drive_id\",\n \"value\": \"DDD_888888888888888\"\n }\n ]\n }\n ]\n}\n",
"event": {
"kind": "event",
"category": [
"file"
],
"type": [
"access"
],
"action": "view",
"dataset": "admin#reports#activity"
},
"@timestamp": "2023-09-04T08:42:51.615000Z",
"user": {
"id": "111111111"
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "people_within_domain_with_link"
}
}
},
"network": {
"application": "drive"
},
"source": {
"ip": "1.2.3.4",
"address": "1.2.3.4"
},
"file": {
"gid": "DDD_111111111111111",
"owner": "J.DOE",
"type": "folder",
"name": "MyDocs"
},
"related": {
"user": [
"J.DOE"
],
"ip": [
"1.2.3.4"
]
}
}
```





Expand All @@ -144,15 +207,17 @@ The following table lists the fields that are extracted, normalized under the EC
| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`@timestamp` | `date` | Date/time when the event originated. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.dataset` | `keyword` | Name of the dataset. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`file.gid` | `keyword` | Primary group ID (GID) of the file. |
|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
|`file.owner` | `keyword` | File owner's username. |
|`file.type` | `keyword` | File type (file, dir, or symlink). |
|`google-drive-reports.actor.email` | `keyword` | Drive actor email |
|`google-drive-reports.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity |
|`google.report.actor.email` | `keyword` | Drive actor email |
|`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity |
|`network.application` | `keyword` | Application level protocol name. |
|`source.ip` | `ip` | IP address of the source. |
|`user.email` | `keyword` | User email address. |
Expand Up @@ -5023,6 +5023,100 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "sysmon_1_process_name.json"

```json

{
"message": "{\"EventTime\":\"2023-09-05 12:28:34\",\"Hostname\":\"foo-vm\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":13871322,\"ProcessID\":2992,\"ThreadID\":748,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2023-09-05 12:28:34.887\\r\\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\\r\\nProcessId: 18144\\r\\nImage: C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\SDXHelper.exe\\r\\nFileVersion: 16.0.16626.20170\\r\\nDescription: Microsoft Office SDX Helper\\r\\nProduct: Microsoft Office\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: SDXHELPER.EXE\\r\\nCommandLine: \\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\sdxhelper.exe\\\" /onlogon\\r\\nCurrentDirectory: C:\\\\Windows\\\\system32\\\\\\r\\nUser: foo-vm\\\\adminuser\\r\\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\\r\\nLogonId: 0x219FAFD\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\\r\\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\\r\\nParentProcessId: 1772\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nParentCommandLine: C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvfoo -p -s Schedule\\r\\nParentUser: NT AUTHORITY\\\\SYSTEM\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2023-09-05 12:28:34.887\",\"ProcessGuid\":\"{178446c4-1ef2-64f7-fa8d-010000001100}\",\"Image\":\"C:\\\\Program 
Files\\\\Microsoft Office\\\\root\\\\Office16\\\\SDXHelper.exe\",\"FileVersion\":\"16.0.16626.20170\",\"Description\":\"Microsoft Office SDX Helper\",\"Product\":\"Microsoft Office\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"SDXHELPER.EXE\",\"CommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\sdxhelper.exe\\\" /onlogon\",\"CurrentDirectory\":\"C:\\\\Windows\\\\system32\\\\\",\"User\":\"foo-vm\\\\adminuser\",\"LogonGuid\":\"{178446c4-8d94-6495-fdfa-190200000000}\",\"LogonId\":\"0x219fafd\",\"TerminalSessionId\":\"2\",\"IntegrityLevel\":\"High\",\"Hashes\":\"MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\",\"ParentProcessGuid\":\"{178446c4-7a9f-6491-2800-000000001100}\",\"ParentProcessId\":\"1772\",\"ParentImage\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"ParentCommandLine\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvfoo -p -s Schedule\",\"ParentUser\":\"NT AUTHORITY\\\\SYSTEM\",\"EventReceivedTime\":\"2023-09-05 12:28:35\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}",
"event": {
"code": "1",
"message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2023-09-05 12:28:34.887\r\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\r\nProcessId: 18144\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe\r\nFileVersion: 16.0.16626.20170\r\nDescription: Microsoft Office SDX Helper\r\nProduct: Microsoft Office\r\nCompany: Microsoft Corporation\r\nOriginalFileName: SDXHELPER.EXE\r\nCommandLine: \"C:\\Program Files\\Microsoft Office\\root\\Office16\\sdxhelper.exe\" /onlogon\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: foo-vm\\adminuser\r\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\r\nLogonId: 0x219FAFD\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\r\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\r\nParentProcessId: 1772\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvfoo -p -s Schedule\r\nParentUser: NT AUTHORITY\\SYSTEM",
"provider": "Microsoft-Windows-Sysmon",
"reason": "Microsoft Office SDX Helper"
},
"@timestamp": "2023-09-05T12:28:34.887000Z",
"process": {
"command_line": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe /onlogon",
"parent": {
"command_line": "c:\\windows\\system32\\svchost.exe -k netsvfoo -p -s schedule",
"executable": "c:\\windows\\system32\\svchost.exe",
"name": "svchost.exe",
"working_directory": "c:\\windows\\system32\\"
},
"executable": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe",
"ppid": "1772",
"thread": {
"id": 748
},
"working_directory": "c:\\windows\\system32\\",
"pid": 18144,
"id": 18144,
"hash": {
"imphash": "0ae5922afcef4767754a10f016cd4b30",
"md5": "f924bbc6fbf646fa0478aebe5d37504c",
"sha256": "4494aa7bf1058262f3d2f412b681af2af42e34490144fbfd0db579d966b8fbb6"
},
"name": "sdxhelper.exe"
},
"action": {
"record_id": 13871322,
"type": "Microsoft-Windows-Sysmon/Operational",
"id": 1,
"properties": [
{
"Image": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe",
"ParentImage": "c:\\windows\\system32\\svchost.exe",
"AccountName": "SYSTEM",
"AccountType": "User",
"Domain": "NT AUTHORITY",
"EventType": "INFO",
"OpcodeValue": 0,
"ProcessGuid": "{178446c4-1ef2-64f7-fa8d-010000001100}",
"ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Severity": "INFO",
"Task": 1,
"User": "foo-vm\\adminuser",
"SourceName": "Microsoft-Windows-Sysmon",
"Keywords": "-9223372036854775808"
}
],
"name": "Process creation"
},
"log": {
"hostname": "foo-vm",
"level": "info"
},
"host": {
"hostname": "foo-vm",
"name": "foo-vm"
},
"os": {
"family": "windows",
"platform": "windows"
},
"user": {
"id": "S-1-5-18",
"name": "adminuser",
"domain": "foo-vm"
},
"related": {
"hash": [
"4494aa7bf1058262f3d2f412b681af2af42e34490144fbfd0db579d966b8fbb6",
"f924bbc6fbf646fa0478aebe5d37504c"
],
"hosts": [
"foo-vm"
],
"user": [
"adminuser"
]
}
}
```


=== "sysmon_20.json"

```json
